
Paranoids Senior Technical Security Engineer - Product Security

Ireland | Full time
It takes powerful technology to connect our brands and partners with an audience of hundreds of millions of people. Whether you’re looking to write mobile app code, engineer the servers behind our massive ad tech stacks, or develop algorithms to help us process trillions of data points a day, what you do here will have a huge impact on our business—and the world.

Job Description

As Yahoo, our brands help people stay informed and entertained, communicate and transact, while creating new ways for advertisers and partners to connect. With technologies like XR, AI and machine learning, we’re transforming media for tomorrow, too. We're creators and coders, dreamers and doers creating what's next in content, advertising and technology.

About Our Team

When you impact millions of people every day, you become a large target for adversaries of all types within all layers of the stack. Our job is to keep our users safe and make Yahoo one of the safest places on the Internet. We are the information security team at Yahoo, known as "The Paranoids".

Responsibilities

As a Paranoids Product Security Engineer, you have the opportunity to guide secure development for a product area and, in addition, to own and drive secure development initiatives affecting the overall enterprise.

Activities include the following:

  • Independently lead application and mobile security assessments, from design to deployment, for key enterprise products.

  • Drive threat modeling and risk assessments for high-impact systems, guiding engineering teams through secure design trade-offs.

  • Partner with developers to embed security into build and release pipelines, and identify opportunities for automation.

  • Develop and maintain internal security tooling and reusable frameworks to scale security across teams.

  • Lead the remediation of critical vulnerabilities and help coordinate with incident response when needed.

  • Mentor other security engineers and advocate for secure development practices across product and engineering teams.

  • Collaborate cross-functionally with cloud security, infrastructure, and compliance teams to ensure holistic protection of applications and data.

  • Stay informed on emerging threats, frameworks, and technologies, and proactively improve security posture through innovation.

Minimum Requirements:

  • 5 years of experience in application or product security, with demonstrated impact securing large-scale web and/or mobile applications.

  • Deep understanding of secure application architecture, including authentication, authorization, encryption, and data protection across distributed systems.

  • Proven hands-on experience performing threat modeling, secure design reviews, and code assessments for complex applications and APIs.

  • Strong technical knowledge of web technologies (HTTP, TLS, CSP, cookies, OAuth, JWTs, GraphQL, REST APIs) and mobile security (iOS/Android app security models, keychains, secure storage, code obfuscation).

  • Proficiency using and integrating application security tooling (SAST, DAST, IAST, dependency scanning, container scanning) into CI/CD pipelines.

  • Practical experience with vulnerability triage and remediation workflows — coordinating across engineering teams to ensure timely fixes.

  • Hands-on skills in at least one backend or systems programming language (e.g., Go, Java, Python, C#) and one frontend or mobile language (e.g., JavaScript/TypeScript, Swift, Kotlin).

  • Experience contributing to or automating security testing and validation in continuous integration environments.

  • Strong ability to communicate security risks and solutions clearly to engineers, managers, and non-technical stakeholders.

  • Track record of driving security improvements across teams — through frameworks, documentation, training, or developer engagement.

Preferred

  • Experience designing and maintaining secure frameworks or libraries used by multiple engineering teams.

  • Familiarity with cloud-native application security (AWS/GCP/Azure), identity and access management, and secrets management.

  • Experience leading or mentoring junior engineers in secure coding, threat modeling, and vulnerability management.

  • Background with mobile application hardening, anti-tampering, and reverse engineering defenses.

  • Understanding of supply chain security, including dependency management and integrity verification.

  • Contributions to open-source security tools, security research, or industry standards bodies.

  • Certifications such as GWEB, GWAPT, OSWE, or CSSLP are a plus, but not required.

Yahoo is proud to be an equal opportunity workplace. All qualified applicants will receive consideration for employment without regard to, and will not be discriminated against based on age, race, gender, color, religion, national origin, sexual orientation, gender identity, veteran status, disability or any other protected category. Yahoo will consider for employment qualified applicants with criminal histories in a manner consistent with applicable law. Yahoo is dedicated to providing an accessible environment for all candidates during the application process and for employees during their employment. If you need accessibility assistance and/or a reasonable accommodation due to a disability, please submit a request via the Accommodation Request Form (www.yahooinc.com/careers/contact-us.html) or call +1.866.772.3182. Requests and calls received for non-disability related issues, such as following up on an application, will not receive a response.

Yahoo has a high degree of flexibility around employee location and hybrid working. In fact, our flexible-hybrid approach to work is one of the things our employees rave about. Most roles don’t require specific regular patterns of in-person office attendance. If you join Yahoo, you may be asked to attend (or travel to attend) on-site work sessions, team-building, or other in-person events. When these occur, you’ll be given notice to make arrangements. 

If you’re curious about how this factors into this role, please discuss with the recruiter.

Currently work for Yahoo? Please apply on our internal career site.